MailGuard Blog — Breaking alerts, news and updates on cybersecurity topics

Fake Microsoft 365 renewal scam targets users

Written by MailGuard | 01 April 2026 05:46:19 Z

A new phishing campaign impersonating Microsoft 365 uses a fake renewal process to steal your business, personal and financial information. It begins with a simple HTML email and leads recipients through a polished, multi-step phishing journey designed to look like a legitimate Microsoft 365 subscription workflow.

Along the way, victims are prompted to select a plan, enter personal details, provide credit card information, submit a PIN, and finally call a phone number after being told their account has been locked. The threat is currently being intercepted by MailGuard’s AI-powered filter network. 

How the scam works

The phishing email arrives with the display name Microsoft 365. The visible From address is info(at)msofficerenew-service(dot)com, while the underlying sending (envelope) address is postmaster(at)msofficerenew-service(dot)com. Neither is a Microsoft domain.

The subject line seen in the example is: Reminder for Office-365 Renewal

The message claims that the recipient’s Microsoft 365 renewal has failed and urges them to act before a specified date. It includes a prominent Re-Subscribe button and a phone number presented as a support contact.

At first glance, the message is simple. But once clicked, the scam unfolds across several steps, each designed to create credibility and increase the likelihood that the victim will continue.

Stage one, fake subscription selection page

The first page presents a fake Microsoft 365 marketplace-style screen asking the user to choose which plan they are “renewing.”

It displays multiple subscription options, including one-year, two-year, three-year, five-year, and even “lifetime” plans. This is an immediate red flag. The page attempts to mimic Microsoft branding and layout, but the pricing structure and subscription flow are inconsistent with legitimate Microsoft purchasing experiences.

The purpose of this first stage is simple. It gets the victim comfortable. Rather than immediately asking for credentials or payment details, it imitates a familiar online purchase flow.

Stage two, fake confirmation page

After the user selects a plan, they are taken to a confirmation page that continues the illusion of a legitimate subscription process.

The layout remains consistent, with the same oversized banner and a staged workflow showing progress through steps such as choosing a plan, confirming, billing, and receiving a result.

This staged process is a common social engineering tactic. It reassures the user that they are participating in a normal transaction, not responding to a phishing attempt.

Stage three, billing details and personal data capture

The next page asks for a wide range of personal and financial information, including:

    • Full name
    • Email address
    • Phone number
    • Credit card number
    • CVV
    • Expiry details
    • Billing address

The page also displays an order summary showing a Microsoft 365 subscription fee, reinforcing the impression that the user is completing a standard payment step.

This is where the scam moves from deception to theft. Any information entered here can be used for fraud, identity theft, or further attacks.

Stage four, PIN verification prompt

After submitting billing details, the user is shown a pop-up asking them to Enter Security PIN. The wording is vague, but that ambiguity is part of the design. Attackers often use generic prompts like this to capture any extra security information a victim may be willing to provide.

The request for a PIN also adds another layer of apparent legitimacy. It suggests that the site is performing a security check, when in fact it is simply collecting more sensitive information.

Final stage, fake account lock and callback prompt

The final page informs the victim that their account has been locked due to suspicious activity and displays an error code. It instructs them to call a phone number to resolve the issue.

This step is significant because it suggests the scam may not end with stolen payment data. It may also be designed to transition into a callback or phone-based social engineering attack, where the victim is manipulated into handing over even more information.

By this point, the scam has already harvested a substantial amount of data. The fake lockout page adds confusion, pressure, and urgency, all while attempting to make the interaction feel more authentic.

Why this scam is dangerous

This attack is effective because it does not rely on a single page or a rushed request for credentials. Instead, it walks the victim through a sequence that feels structured and believable.

Several features make it more convincing:

    • It uses Microsoft 365 branding and a familiar subscription theme
    • It spreads the phishing activity across multiple pages
    • It captures both identity and payment information
    • It uses a fake support number to extend the attack beyond the browser
    • It creates urgency with failed renewal warnings and locked account notices

The use of a domain like msofficerenew-service(dot)com may also catch out users who are moving quickly and only glance at the sender name rather than inspecting the actual address.

What to look for

There are several warning signs in this campaign:

    • The email is not addressed personally
    • The sender domain is not an official Microsoft domain
    • The scam uses pressure around failed renewal and account restriction
    • The website flow requests unusually broad information for a subscription renewal
    • The site includes suspicious plan options and pricing structures
    • The final step pushes the user to call a phone number rather than use official support channels

Sophisticated phishing campaigns increasingly resemble legitimate customer journeys. That is why users should treat unsolicited renewal, billing, or account issue emails with caution, especially when they create urgency or request immediate action.
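The warning signs listed above map directly onto checks that a mail gateway rule or a SOC triage script can automate: brand name in the display name but a non-Microsoft sender domain, brand keywords embedded in a lookalike domain, a mismatch between the visible From and the envelope sender, urgency wording, a generic greeting, and a phone number offered as the way to "resolve" the problem. The Python below is an added example written for this post, not MailGuard's code or tooling. The two sample messages, the phone number and the small allowlist of Microsoft domains are constructed for illustration; the lookalike domain is the one named in this post.

```python
"""Triage a suspicious 'renewal' email against the indicators described above.

Added example; not MailGuard's detection logic. Sample messages, the phone
number and MICROSOFT_DOMAINS are constructed/assumed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist. A real deployment would take this from policy, not hardcode it.
MICROSOFT_DOMAINS = {"microsoft.com", "office.com", "microsoftonline.com"}
BRAND_WORDS = ("microsoft", "msoffice", "office365", "office-365", "o365")
URGENCY = ("renewal has failed", "act before", "locked", "suspended", "re-subscribe")
PHONE_RE = re.compile(r"\+?\d[\d\- ()]{6,}\d")

# Constructed sample modelled on the campaign in this post (plain-text body).
SAMPLE_EMAIL = """\
Return-Path: <postmaster@msofficerenew-service.com>
From: Microsoft 365 <info@msofficerenew-service.com>
To: user@example.com
Subject: Reminder for Office-365 Renewal
Content-Type: text/plain

Dear Customer,

Your Microsoft 365 renewal has failed. Please act before 05 April 2026.

Re-Subscribe: https://msofficerenew-service.com/renew
Support: +1-555-0100 (fictitious number)
"""

# Constructed control message that should not trip any of the checks.
LEGIT_EMAIL = """\
Return-Path: <noreply@microsoft.com>
From: Microsoft <noreply@microsoft.com>
To: user@example.com
Subject: Your March invoice is available
Content-Type: text/plain

Hi Alex,

Your invoice for March is now available in the admin center.
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def is_microsoft_domain(domain: str) -> bool:
    """True for an allowlisted domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in MICROSOFT_DOMAINS)


def triage(raw: str) -> list[str]:
    """Return the indicators matched by the message; an empty list means none."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload(decode=False) or ""
    from_domain = domain_of(from_addr)
    text = f"{subject}\n{body}".lower()
    findings = []

    # 1. Brand named in the display name, but the address is not a Microsoft domain.
    if any(w in display.lower() for w in BRAND_WORDS) and not is_microsoft_domain(from_domain):
        findings.append(f"display name '{display}' impersonates brand; sender domain {from_domain}")
    # 2. Lookalike domain: brand keywords embedded in an unrelated domain.
    if any(w in from_domain for w in BRAND_WORDS) and not is_microsoft_domain(from_domain):
        findings.append(f"lookalike domain {from_domain}")
    # 3. Envelope sender differs from the visible From address (weak on its own).
    if return_path and return_path.lower() != from_addr.lower():
        findings.append(f"envelope sender {return_path} differs from From {from_addr}")
    # 4. Pressure language: failed renewal, deadlines, lockouts.
    hits = [u for u in URGENCY if u in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    # 5. Generic greeting instead of the recipient's name.
    if re.search(r"^dear (customer|user|client)\b", body, re.IGNORECASE | re.MULTILINE):
        findings.append("generic greeting")
    # 6. A phone number offered as the support/resolution channel.
    if ("support" in text or "call" in text) and PHONE_RE.search(body):
        findings.append("phone number offered as resolution channel")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("FLAG:", finding)
    print("control message flags:", triage(LEGIT_EMAIL))
```

Each check is deliberately simple and none is conclusive alone (check 3, for instance, is also true of many legitimate bulk senders), so a gateway would combine them into a score rather than block on any single hit; the value of the approach is that the combination seen in this campaign lights up all six at once while an ordinary billing notice lights up none.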

Stay Safe, Know the Signs

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.

Avoid emails that:

  • Aren’t addressed to you personally.
  • Are unexpected and urge immediate action.
  • Contain poor grammar or miss crucial identifying details.
  • Direct you to a suspicious URL that isn’t associated with the genuine company.

Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One Email Is All That It Takes

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.

For a few dollars per staff member per month, you can protect your business with MailGuard's specialist AI-powered, zero-day email security. Special Ops for when speed matters! Our real-time zero-day email threat detection amplifies our clients' intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.

Stay up-to-date with MailGuard's latest blog posts by subscribing to free weekly updates.